CVE-2010-3971, Not Quite the Weekend Warrior

Today, the MSRC is releasing an update to address an Internet Explorer 0-day vulnerability (CVE-2010-3971), originally posted by a researcher to Full Disclosure in early Dec. Since the public disclosure took place, we, along with other MAPP partners, have been monitoring closely for malicious exploitation to keep tabs on the threat this issue posed to our customers.

In late December, just before Christmas, we started seeing the first signs that attackers were actively trying to exploit this vulnerability. Even so, the volume of attack attempts was quite low, especially in comparison to other 0-day vulnerabilities of the past year. With the exception of a surge on Jan. 5th, the MMPC received reports from fewer than 50 computers per day up until late Jan., when the reports started to pick up.

For comparison’s sake, you can contrast the volume we monitored for this attack with that of other 0-day vulnerabilities that required an out-of-band update. One of the most recent examples is CVE-2010-2568, the Shortcut vulnerability. A few weeks after that vulnerability was discovered, other malware families adopted the technique and exploitation volume rose sharply. The following chart shows the first 51 days of monitoring each issue – the contrast between the two is pretty significant.

When you examine the geographical location of the targets for CVE-2010-3971, these attack attempts bear a close resemblance to those targeting CVE-2010-3962, another Internet Explorer issue we blogged about in Dec. that we dubbed the Weekend Warrior. Although attack attempts on today’s issue were much lower in volume, the patterns are similar from a geographical perspective – spikes of activity reported by users in Korea, with some reports from users in the US and China.

As always, we encourage you to apply Microsoft Security Bulletin MS11-003 as soon as possible. And, by the way, if you’re running Windows XP, make sure you install the Autorun-related updates for that platform. See our first post today to hear more about Autorun worms and how we hope this change will affect them.